Microsoft issues mammoth security update, biggest in five years
Fixes 28 flaws in Windows, Office, IE, ActiveX development tools and more
Computerworld - Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago.
Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged to be "important," the next step down, and two were pegged as "moderate." The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, and the company's most popular development tools, Visual Basic and Visual Studio.
Researchers agreed that one of the Windows updates should be tops on everyone's to-do list. "There are a few that will stick out for a lot of people," said Andrew Storms, director of security operations at nCircle Network Security Inc. "The GDI is one."
MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.
"This looks very similar to MS08-021," said Storms, referring to an April update that patched two other GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious Windows Metafile (WMF) images.
"[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "It's in the core kernel, it's always there, it's in all versions of Windows and the attack vector is pretty high." Like Storms, Sarwate put the update at the top of his list.
The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft's vaunted Security Development Lifecycle (SDL) process, under which it scrutinizes code as its written for bugs, really works. "Is SDL functioning? I don't know," Storms admitted. "Without seeing the code analysis, it's difficult to presume it's not."
"Yes, I think that's a fair question," said Wolfgang Kandek, chief technology officer at Qualys. "But is it realistic to expect Microsoft to find everything? No, it's not."
Storms said the IE update, MS08-073, would be his next highest update priority, simply because of the number of vulnerabilities it fixes -- four, all critical -- and because of the dominance of Microsoft's browser. After that, it gets murkier. "GDI and IE are certainly top of the list, but beyond that it's a toss-up," he said. "It's going to be difficult for people in the trenches to understand what to go after the first and second."
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!